Dissecting BetaBot
Raghav Pande, Researcher @ FireEye
Disclaimer
The content, demonstrations, source code and programs presented here are provided "AS IS", without warranty or conditions of any kind. The views, ideas and knowledge expressed here are solely mine and have nothing to do with the company or organization I currently work for.
Neither I nor Cysinfo is responsible, under any circumstances, for any damage or loss caused by use or misuse of the information presented here.
Content
- Introduction
- Static
- Behavior
- Anti R.E.
- Injection
- Hooking Methodology
- Interesting Areas
Why Betabot?
- Difficult to understand
- No cracked builder
- No good write-up
- "Super duper rootkit", as advertised
- Complaints for removal
- Harassment of other criminals
Information
- Samples used can be downloaded from malwarenet.com
- Betabot 1.7 was used
- The bot was analyzed on Win7 SP1 64-bit
- Required tools: OllyDbg, WinDbg, x64dbg, IDA Pro
Introduction
A typical botnet, but with good features:
- Botkiller
- AV killer
- UAC SE trick
- Userkit for x86/x64
- Anti-bootkit
- Usermode sandbox evasion
- Proactive defense
- DNS blocker/redirect
- File search & grab
- Formgrabber for IE/FF/CH (x86 & x64), including SPDY grabber
Advert
(image-only slides)
Static
Throw the wild binary into IDA
Unpacking
Unpacking 101: throw it in Olly
- Breakpoint (Bp) @ ntdll!NtWriteVirtualMemory
- Bp @ ntdll!NtResumeThread
- Automate
- Dump the PE header
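The "dump the PE header" step is what turns a memory dump into something IDA will load correctly: in memory each section sits at its VirtualAddress, but the dumped section table still carries the on-disk PointerToRawData values, so a file loader reads the bytes from the wrong offsets. The Python below is an added example, not code from the talk: it builds a constructed PE32 image laid out as a debugger dumps it (section bytes at their VAs, on-disk raw pointers in the table), shows that a loader-style read returns the wrong bytes, then rewrites the table so raw offset and size match the virtual layout and optionally repoints the entry at a known OEP. The section names, sizes, RVAs and the entry-point value are constructed; only the PE header offsets are the real format.

```python
import struct

SECTION_HDR_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)


def _align_up(value, alignment):
    return (value + alignment - 1) & ~(alignment - 1)


def _headers(image):
    """Return (e_lfanew, optional-header offset, section-table offset, section count)."""
    if image[0:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24  # 4-byte signature + 20-byte IMAGE_FILE_HEADER
    return e_lfanew, opt, opt + opt_size, nsec


def build_dumped_image():
    """Constructed sample: a PE32 as a debugger dumps it from memory. Section bytes
    sit at their VirtualAddress (0x1000-aligned) while the section table still holds
    the on-disk PointerToRawData values (0x200-aligned). Not a real Betabot image."""
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        (b".text", 0x123, 0x1000, 0x200, 0x400),
        (b".data", 0x045, 0x2000, 0x200, 0x600),
    ]
    img = bytearray(0x3000)
    img[0:2] = b"MZ"
    e_lfanew = 0x80
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine=i386, NumberOfSections, 3 unused dwords, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x014C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, 0x10B)                # Magic: PE32
    struct.pack_into("<I", img, opt + 16, 0x1234)          # AddressOfEntryPoint: the packer stub (constructed)
    struct.pack_into("<I", img, opt + 28, 0x00400000)      # ImageBase
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<I", img, opt + 56, len(img))        # SizeOfImage
    struct.pack_into("<I", img, opt + 60, 0x400)           # SizeOfHeaders
    sec_tbl = opt + 0xE0
    for i, (name, vsize, va, rawsize, rawptr) in enumerate(sections):
        off = sec_tbl + i * SECTION_HDR_SIZE
        img[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", img, off + 8, vsize, va, rawsize, rawptr)
        struct.pack_into("<I", img, off + 36, 0xE0000020)  # Characteristics: code | r | w | x
        img[va:va + vsize] = b"\x90" * vsize               # the unpacked bytes live at the VA
    return bytes(img)


def section_bytes(image, name):
    """Read a section the way a file loader (or IDA opening the dump) does: through
    PointerToRawData/SizeOfRawData, not through VirtualAddress."""
    _, _, sec_tbl, nsec = _headers(image)
    for i in range(nsec):
        off = sec_tbl + i * SECTION_HDR_SIZE
        if image[off:off + 8].rstrip(b"\0") == name:
            vsize, _va, rawsize, rawptr = struct.unpack_from("<IIII", image, off + 8)
            return image[rawptr:rawptr + min(vsize or rawsize, rawsize)]
    raise KeyError(name)


def entry_point_rva(image):
    _, opt, _, _ = _headers(image)
    return struct.unpack_from("<I", image, opt + 16)[0]


def realign_dumped_pe(image, new_entry_rva=None):
    """Make a memory dump loadable: set each section's raw offset to its VA and its
    raw size to the section-aligned virtual size (clamped to SizeOfImage), set
    FileAlignment = SectionAlignment, and optionally point the entry at the OEP.
    Returns (fixed image, [(section, old PointerToRawData, new PointerToRawData)])."""
    img = bytearray(image)
    _, opt, sec_tbl, nsec = _headers(img)
    sect_align = struct.unpack_from("<I", img, opt + 32)[0]
    size_of_image = struct.unpack_from("<I", img, opt + 56)[0]
    if len(img) < size_of_image:
        raise ValueError("dump is shorter than SizeOfImage; dump the whole image first")
    changes = []
    for i in range(nsec):
        off = sec_tbl + i * SECTION_HDR_SIZE
        name = bytes(img[off:off + 8]).rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", img, off + 8)
        vsize = vsize or rawsize  # some packers zero VirtualSize
        new_size = min(_align_up(vsize, sect_align), size_of_image - va)
        struct.pack_into("<IIII", img, off + 8, vsize, va, new_size, va)
        changes.append((name, rawptr, va))
    struct.pack_into("<I", img, opt + 36, sect_align)  # FileAlignment
    if new_entry_rva is not None:
        struct.pack_into("<I", img, opt + 16, new_entry_rva)
    return bytes(img), changes
```

Run `realign_dumped_pe(build_dumped_image(), new_entry_rva=0x1010)` and compare `section_bytes()` before and after: before the fix the loader view of `.text` is the zero-filled header slack at file offset 0x400; afterwards it is the 0x90 bytes that actually sit at RVA 0x1000. Imports still have to be rebuilt separately (the dumped IAT holds resolved addresses), which is why the breakpoint on NtWriteVirtualMemory, before the payload runs, is the better dump point.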
Unpacking
- Place 0xEB 0xFE (jmp $, a two-byte self-loop) @ CreateProcessInternalW, so the sample spins there instead of spawning the child
- No debugger usage up to that point; automate
- Attach Olly once the process is looping, restore the two original bytes
- Bp @ CreateProcessInternalW
- Hit; then automate till ntdll!NtWriteVirtualMemory comes up
Unpacking stage 2
- Random routine & POI
- Last routine & POI
- Et voilà
Behavior: Anti RE
- FS:[0x30] + 2 (the TEB's PEB pointer, then PEB.BeingDebugged)
- DbgBreakPoint() = 0x90 (the byte at ntdll!DbgBreakPoint is normally int3, 0xCC; 0x90 is NOP)
- ntdll!NtQueryInformationProcess()
- ntdll!NtSetInformationThread()
Behavior: NtQueryInformationProcess
Note: [119f590] = address of ZwQuerySection
if [ebp - 1] == 1 (debugger found):
    modify the pointer at FS:[0xC0] from the far jump 0x0033:0x7******* (the WOW64 transition into 64-bit mode) to ZwQuerySection
Under WOW64 every 32-bit Nt* stub ends in `call dword ptr fs:[0xC0]`, so once that pointer is redirected, every subsequent system call from the 32-bit code lands on ZwQuerySection instead of entering the kernel.
Behavior: EIP result
Behavior: Other aspects
Injection & Migration
- CreateProcessInternalW (suspended)
- CreateSection()
- MapViewOfSection(), Unmap(), MapViewOfSection()
- CreateSection(2)
- MapViewOfSection(), Unmap(), MapViewOfSection(2)
- ResumeThread()
- ExitProcess()
Each section is mapped into the bot's own process, unmapped, then mapped into the suspended child (the second MapViewOfSection); after the second section the child's thread is resumed and the original process exits.
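From the defender's side, the sequence above is recognisable without any knowledge of the payload: a process created suspended, sections created by the parent and mapped into that child, then the child's thread resumed. The Python below is an added example, not from the talk. It runs a per-pid state machine over a constructed API trace whose `key=value` format, and whose resolution of process handles to pids, are assumptions about a hypothetical tracer; the pid 100 lines follow the slide's sequence, pids 300 and 400 are benign controls (an ordinary local file mapping, and a non-suspended process start).

```python
import re
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004   # dwCreationFlags bit checked on process creation
SELF_PROCESS = -1               # NtCurrentProcess() pseudo-handle

# Constructed API trace in an assumed "key=value" format (handles already resolved
# to pids by the hypothetical tracer). Not real Betabot output.
SAMPLE_TRACE = """\
pid=100 api=CreateProcessInternalW image=svchost.exe flags=0x4 child=200
pid=100 api=NtCreateSection section=0x44 protect=0x40
pid=100 api=NtMapViewOfSection section=0x44 process=-1
pid=100 api=NtUnmapViewOfSection process=-1
pid=100 api=NtMapViewOfSection section=0x44 process=200
pid=100 api=NtCreateSection section=0x48 protect=0x40
pid=100 api=NtMapViewOfSection section=0x48 process=-1
pid=100 api=NtUnmapViewOfSection process=-1
pid=100 api=NtMapViewOfSection section=0x48 process=200
pid=100 api=NtResumeThread process=200
pid=100 api=ExitProcess
pid=300 api=NtCreateSection section=0x10 protect=0x2
pid=300 api=NtMapViewOfSection section=0x10 process=-1
pid=300 api=NtUnmapViewOfSection process=-1
pid=400 api=CreateProcessInternalW image=notepad.exe flags=0x0 child=401
pid=400 api=NtResumeThread process=401
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
NUMBER_RE = re.compile(r"-?(0x[0-9a-fA-F]+|\d+)")


def parse_line(line):
    """key=value fields; numeric values (decimal or 0x-hex) become ints."""
    return {k: int(v, 0) if NUMBER_RE.fullmatch(v) else v
            for k, v in FIELD_RE.findall(line)}


def _new_state():
    return {"children": set(), "sections": set(), "local_views": set(), "remote": {}}


def detect_section_hollowing(trace):
    """Per creating pid: suspended child -> NtCreateSection -> that section mapped
    into the child -> NtResumeThread on the child. Returns one alert per resumed
    child that received at least one of the creator's sections."""
    state = defaultdict(_new_state)
    alerts = []
    for raw in trace.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        s, api = state[ev["pid"]], ev["api"]
        if api == "CreateProcessInternalW" and ev.get("flags", 0) & CREATE_SUSPENDED:
            s["children"].add(ev["child"])
        elif api == "NtCreateSection":
            s["sections"].add(ev["section"])
        elif api == "NtMapViewOfSection":
            sec, target = ev["section"], ev["process"]
            if target == SELF_PROCESS:
                s["local_views"].add(sec)           # staging view in the bot's own process
            elif target in s["children"] and sec in s["sections"]:
                s["remote"].setdefault(target, []).append(sec)
        elif api == "NtResumeThread" and ev["process"] in s["remote"]:
            child = ev["process"]
            alerts.append({
                "injector": ev["pid"],
                "child": child,
                "sections": s["remote"][child],
                # True when every remote section was first mapped locally (map / unmap / map)
                "staged_locally": all(sec in s["local_views"] for sec in s["remote"][child]),
            })
    return alerts
```

The rule fires only at NtResumeThread, which is also why the unpacking slides put a breakpoint there: it is the last moment the injected image can be dumped from the child before it runs. Because the payload travels through a section rather than WriteProcessMemory, a detector keyed only on NtWriteVirtualMemory into a foreign process would miss this chain.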
Hooks
How normal applications hook, and why
32-bit system without hooks
32-bit API on a WOW64 (64-bit) system, without hooks
Hooks: 3 different areas of hooking in Betabot
- Hook @ KiFastSystemCall (strictly x86 environment): native 32-bit stubs call through the pointer at SharedUserData+0x300 (0x7FFE0300)
- Hook @ FS:[0xC0] (WOW64 handler for x86 API): 32-bit stubs on a 64-bit OS call through TEB.WOW32Reserved, which points at the far jump into wow64cpu
- Hook @ 64-bit API directly: native x64 stubs issue `syscall` themselves, so the hook has to sit on the stub
Hooks: 32-bit
Hooks: WOW64
Hooks: 64-bit process
Explanation for the 64-bit handler
Interesting Areas
(image-only slides)
References
- blog.gdatasoftware.com
- kernelmode.info
Queries?